Merge pull request #406 from abraham2512/acm-route-policy-rmf

telco-ran: OCPBUGS-63008: Improve RAN monitoring footprint CR to get alertmanager url from MCL annotation

Author: openshift-merge-bot[bot]

telco-core/configuration/reference-crs/optional/other/monitoring-config-cm.yaml

@@ -1,6 +1,8 @@
 # optional
 # count: 1
 ---
+# Core Observability configuration
+# As a prerequisite for merging Core Observability configuration with openshift-monitoring, apply the observabilityRoutePolicy on the HUB from the telco-hub required reference-crs. This is needed to copy the alert-manager URL from the hub side open-cluster-management-observability namespace and make it available in the openshift-monitoring configmap.
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -27,7 +29,7 @@ data:
           name: observability-alertmanager-accessor
         scheme: https
         staticConfigs:
-        - {{ if (lookup "v1" "Namespace" "" "open-cluster-management-addon-observability") }}{{ (regexFind "alertmanager-endpoint(.*)" ((fromSecret "open-cluster-management-addon-observability" "hub-info-secret" "hub-info.yaml") | base64dec)) | replace "alertmanager-endpoint: https://" "" }}{{ end }}
+        - {{ if (lookup "v1" "Namespace" "" "open-cluster-management-addon-observability") }}{{hub index (lookup "cluster.open-cluster-management.io/v1" "ManagedCluster" "" .ManagedClusterName).metadata.annotations "acm-alertmanager-route" hub}}{{ end }}
         tlsConfig:
           ca:
             key: service-ca.crt

telco-hub/configuration/reference-crs-kube-compare/compare_ignore

@@ -36,6 +36,10 @@ required/acm/acmPerfSearch.yaml
 # compare does not include the full policy content due to policy templating.
 required/acm/thanosSecretPolicy.yaml
 required/gitops/addPluginsPolicy.yaml
+# observabilityRoutePolicy is ignored as reference compare does 
+# not include the full policy content due to policy templating.
+required/acm/observabilityRoutePolicy.yaml
+
 required/gitops/extra-manifests-policy.yaml
 # ArgoCD files
 kustomization.yaml

telco-hub/configuration/reference-crs/required/acm/observabilityRoutePolicy.yaml

@@ -0,0 +1,81 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  annotations:
+    policy.open-cluster-management.io/categories: CM Configuration Management
+    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+    policy.open-cluster-management.io/standards: NIST SP 800-53
+    ran.openshift.io/ztp-deploy-wave: "1"
+  name: obs-route-policy
+  namespace: open-cluster-management-observability
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: obs-route-policy
+        spec:
+          remediationAction: enforce
+          severity: low
+          namespaceSelector:
+            exclude:
+              - kube-*
+            include:
+              - '*'
+          object-templates-raw: |
+            {{- range (lookup "cluster.open-cluster-management.io/v1" "ManagedCluster" "" "").items }}
+            - metadataComplianceType: musthave
+              objectDefinition:
+                apiVersion: cluster.open-cluster-management.io/v1
+                kind: ManagedCluster
+                metadata:
+                  name: {{ .metadata.name }}
+                  annotations:
+                    acm-alertmanager-route: '{{ (lookup "route.openshift.io/v1" "Route" "open-cluster-management-observability" "alertmanager").spec.host }}'
+            {{- end }}
+---
+apiVersion: cluster.open-cluster-management.io/v1beta1
+kind: Placement
+metadata:
+  name: obs-route-policy-placement
+  namespace: open-cluster-management-observability
+spec:
+  predicates:
+    - requiredClusterSelector:
+        labelSelector:
+          matchExpressions:
+            - key: local-cluster
+              operator: In
+              values:
+                - "true"
+  tolerations:
+    - key: cluster.open-cluster-management.io/unavailable
+      operator: Exists
+    - key: cluster.open-cluster-management.io/unreachable
+      operator: Exists
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: obs-route-policy-placementbinding
+  namespace: open-cluster-management-observability
+placementRef:
+  name: obs-route-policy-placement
+  kind: Placement
+  apiGroup: cluster.open-cluster-management.io
+subjects:
+  - name: obs-route-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: cluster.open-cluster-management.io/v1beta2
+kind: ManagedClusterSetBinding
+metadata:
+  name: default
+  namespace: open-cluster-management-observability
+spec:
+  clusterSet: default

telco-hub/configuration/reference-crs/required/acm/readme.md

@@ -26,7 +26,8 @@
       Thanos secret.
 12. Create the `observabilityMCO.yaml`.
 13. When all the installation is done. Apply the `acmPerfSearch.yaml` .This will configure Search CR called `search-v2-operator` considering different performance and scale optimizations.
-14. When ACM Observability is configured on a managed cluster through the Core or RAN profile, the default ACM Observability configuration must be merged with the RAN monitoring tuning [ReduceMonitoringFootprint.yaml](../../../../../telco-ran/configuration/source-crs/ReduceMonitoringFootprint.yaml) or Core monitoring config [monitoring-config-cm.yaml](../../../../../telco-core/configuration/reference-crs/optional/other/monitoring-config-cm.yaml) respectively. To ensure that these changes persist, ACM has to stop managing the cluster-monitoring-config ConfigMap, which is set in this annotation [here](../../../../../telco-hub/configuration/reference-crs/required/acm/observabilityMCO.yaml#L13).
+14. When ACM Observability is configured on a managed cluster through the Core or RAN profile, the default ACM Observability configuration must be merged with the RAN monitoring tuning [ReduceMonitoringFootprint.yaml](../../../../../telco-ran/configuration/source-crs/ReduceMonitoringFootprint.yaml) or Core monitoring config [monitoring-config-cm.yaml](../../../../../telco-core/configuration/reference-crs/optional/other/monitoring-config-cm.yaml) respectively.
+    * To ensure that these changes persist, ACM has to stop managing the cluster-monitoring-config ConfigMap, which is achieved through this annotation [here](../../../../../telco-hub/configuration/reference-crs/required/acm/observabilityMCO.yaml#L13).
+    * When mco-alerting is disabled, the [obs-route-policy](observabilityRoutePolicy.yaml) should be used for propagating the alertmanager URL from the ACM observability route to all managed clusters through the `acm-alertmanager-route` annotation.
 
 Back to [Hub Cluster Setup](../../../../README.md).
-

telco-ran/configuration/kube-compare-reference/cluster-tuning/monitoring-configuration/ReduceMonitoringFootprint.yaml

@@ -1,3 +1,6 @@
+---
+# RAN Observability configuration
+# As a prerequisite for merging RAN Observability configuration with openshift-monitoring, apply the observabilityRoutePolicy on the HUB from the telco-hub required reference-crs. This is needed to copy the alert-manager URL from the hub side open-cluster-management-observability namespace and make it available in the openshift-monitoring configmap.
 apiVersion: v1
 kind: ConfigMap
 metadata:

telco-ran/configuration/kube-compare-reference/hack/default_value.yaml

@@ -331,7 +331,7 @@ cluster_tuning_monitoring_configuration_ReduceMonitoringFootprint:
   - metadata:
       name: cluster-monitoring-config
     captureGroup_defaults:
-      alertmanager_endpoint: '{{ `{{ if (lookup "v1" "Namespace" "" "open-cluster-management-addon-observability") }}{{ (regexFind "alertmanager-endpoint(.*)" ((fromSecret "open-cluster-management-addon-observability" "hub-info-secret" "hub-info.yaml") | base64dec)) | replace "alertmanager-endpoint: https://" "" }}{{ end }}` }}'
+      alertmanager_endpoint: '{{ `{{ if (lookup "v1" "Namespace" "" "open-cluster-management-addon-observability") }}{{hub index (lookup "cluster.open-cluster-management.io/v1" "ManagedCluster" "" .ManagedClusterName).metadata.annotations "acm-alertmanager-route" hub}}{{ end }}` }}'
       managed_cluster: '{{ `{{ fromClusterClaim "id.openshift.io" }}` }}'
 lca_LcaSubscription:
   - spec:

telco-ran/configuration/source-crs/cluster-tuning/monitoring-configuration/ReduceMonitoringFootprint.yaml

@@ -1,3 +1,6 @@
+---
+# RAN Observability configuration
+# As a prerequisite for merging RAN Observability configuration with openshift-monitoring, apply the observabilityRoutePolicy on the HUB from the telco-hub required reference-crs. This is needed to copy the alert-manager URL from the hub side open-cluster-management-observability namespace and make it available in the openshift-monitoring configmap.
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -30,7 +33,7 @@ data:
           name: observability-alertmanager-accessor
         scheme: https
         staticConfigs:
-        - {{ if (lookup "v1" "Namespace" "" "open-cluster-management-addon-observability") }}{{ (regexFind "alertmanager-endpoint(.*)" ((fromSecret "open-cluster-management-addon-observability" "hub-info-secret" "hub-info.yaml") | base64dec)) | replace "alertmanager-endpoint: https://" "" }}{{ end }}
+        - {{ if (lookup "v1" "Namespace" "" "open-cluster-management-addon-observability") }}{{hub index (lookup "cluster.open-cluster-management.io/v1" "ManagedCluster" "" .ManagedClusterName).metadata.annotations "acm-alertmanager-route" hub}}{{ end }}
         tlsConfig:
           ca:
             key: service-ca.crt